b76a833882cb44a6b35fef640dd43de95bb5ba3360a81cc4b49ce5aa778918b9

Analysis

max time kernel
146s
max time network
77s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09/07/2023, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba9be4aa6cd650exeexeexeex.exe
Size

204KB
MD5

ba9be4aa6cd65008422a5d11e42c3828
SHA1

d467a1780fabf619a595afeab48561ab3a58d24f
SHA256

b76a833882cb44a6b35fef640dd43de95bb5ba3360a81cc4b49ce5aa778918b9
SHA512

1ccbdfc6b01b7a1742ffd6e939ab8fdc76c7413b26b98b0a992672da98c3193c031c837bf4971c7f91b23ff807f6457a148ca95417c8ada62091325cf7b212f3
SSDEEP

1536:1EGh0oul15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oul1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2F6E9BE-2850-4ad5-B537-30E161FA08C1}\stubpath = "C:\\Windows\\{E2F6E9BE-2850-4ad5-B537-30E161FA08C1}.exe"	{0A2FCE11-7EFF-4cba-92F9-967091312DA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E04A56D1-F023-45bf-8684-97342DA3C362}	{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A2FCE11-7EFF-4cba-92F9-967091312DA4}	{CCA9D3E1-078A-412f-B25D-723F58A88B59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A2FCE11-7EFF-4cba-92F9-967091312DA4}\stubpath = "C:\\Windows\\{0A2FCE11-7EFF-4cba-92F9-967091312DA4}.exe"	{CCA9D3E1-078A-412f-B25D-723F58A88B59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D474A288-5727-4324-ABC5-09B11A9A9E34}\stubpath = "C:\\Windows\\{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe"	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E04A56D1-F023-45bf-8684-97342DA3C362}\stubpath = "C:\\Windows\\{E04A56D1-F023-45bf-8684-97342DA3C362}.exe"	{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{248DC41D-029E-4e6d-BD34-45B45B0352D1}	{E04A56D1-F023-45bf-8684-97342DA3C362}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F95AE9B1-1E59-42f0-995C-34D0A2E74004}\stubpath = "C:\\Windows\\{F95AE9B1-1E59-42f0-995C-34D0A2E74004}.exe"	{248DC41D-029E-4e6d-BD34-45B45B0352D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A3E1050-F92F-416c-BC36-E24BB856EF60}\stubpath = "C:\\Windows\\{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe"	ba9be4aa6cd650exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75FB25BC-B033-4854-90BF-85343E66F8D5}\stubpath = "C:\\Windows\\{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe"	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}\stubpath = "C:\\Windows\\{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe"	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D474A288-5727-4324-ABC5-09B11A9A9E34}	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCA9D3E1-078A-412f-B25D-723F58A88B59}	{F95AE9B1-1E59-42f0-995C-34D0A2E74004}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCA9D3E1-078A-412f-B25D-723F58A88B59}\stubpath = "C:\\Windows\\{CCA9D3E1-078A-412f-B25D-723F58A88B59}.exe"	{F95AE9B1-1E59-42f0-995C-34D0A2E74004}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F95AE9B1-1E59-42f0-995C-34D0A2E74004}	{248DC41D-029E-4e6d-BD34-45B45B0352D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BEACACC-97A2-406a-AEE1-F5C3C5486642}\stubpath = "C:\\Windows\\{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe"	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}\stubpath = "C:\\Windows\\{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe"	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}	{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{248DC41D-029E-4e6d-BD34-45B45B0352D1}\stubpath = "C:\\Windows\\{248DC41D-029E-4e6d-BD34-45B45B0352D1}.exe"	{E04A56D1-F023-45bf-8684-97342DA3C362}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2F6E9BE-2850-4ad5-B537-30E161FA08C1}	{0A2FCE11-7EFF-4cba-92F9-967091312DA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A3E1050-F92F-416c-BC36-E24BB856EF60}	ba9be4aa6cd650exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75FB25BC-B033-4854-90BF-85343E66F8D5}	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BEACACC-97A2-406a-AEE1-F5C3C5486642}	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}\stubpath = "C:\\Windows\\{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe"	{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe

Deletes itself 1 IoCs

pid	Process
2356	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1668	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe
2920	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe
1340	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe
1164	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe
1040	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe
2040	{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe
2692	{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe
920	{E04A56D1-F023-45bf-8684-97342DA3C362}.exe
2572	{248DC41D-029E-4e6d-BD34-45B45B0352D1}.exe
2620	{F95AE9B1-1E59-42f0-995C-34D0A2E74004}.exe
2300	{CCA9D3E1-078A-412f-B25D-723F58A88B59}.exe
2592	{0A2FCE11-7EFF-4cba-92F9-967091312DA4}.exe
2168	{E2F6E9BE-2850-4ad5-B537-30E161FA08C1}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe
File created	C:\Windows\{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe	{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe
File created	C:\Windows\{F95AE9B1-1E59-42f0-995C-34D0A2E74004}.exe	{248DC41D-029E-4e6d-BD34-45B45B0352D1}.exe
File created	C:\Windows\{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe	ba9be4aa6cd650exeexeexeex.exe
File created	C:\Windows\{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe
File created	C:\Windows\{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe
File created	C:\Windows\{E04A56D1-F023-45bf-8684-97342DA3C362}.exe	{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe
File created	C:\Windows\{248DC41D-029E-4e6d-BD34-45B45B0352D1}.exe	{E04A56D1-F023-45bf-8684-97342DA3C362}.exe
File created	C:\Windows\{CCA9D3E1-078A-412f-B25D-723F58A88B59}.exe	{F95AE9B1-1E59-42f0-995C-34D0A2E74004}.exe
File created	C:\Windows\{0A2FCE11-7EFF-4cba-92F9-967091312DA4}.exe	{CCA9D3E1-078A-412f-B25D-723F58A88B59}.exe
File created	C:\Windows\{E2F6E9BE-2850-4ad5-B537-30E161FA08C1}.exe	{0A2FCE11-7EFF-4cba-92F9-967091312DA4}.exe
File created	C:\Windows\{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe
File created	C:\Windows\{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3024	ba9be4aa6cd650exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1668	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe
Token: SeIncBasePriorityPrivilege	2920	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe
Token: SeIncBasePriorityPrivilege	1340	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe
Token: SeIncBasePriorityPrivilege	1164	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe
Token: SeIncBasePriorityPrivilege	1040	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe
Token: SeIncBasePriorityPrivilege	2040	{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe
Token: SeIncBasePriorityPrivilege	2692	{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe
Token: SeIncBasePriorityPrivilege	920	{E04A56D1-F023-45bf-8684-97342DA3C362}.exe
Token: SeIncBasePriorityPrivilege	2572	{248DC41D-029E-4e6d-BD34-45B45B0352D1}.exe
Token: SeIncBasePriorityPrivilege	2620	{F95AE9B1-1E59-42f0-995C-34D0A2E74004}.exe
Token: SeIncBasePriorityPrivilege	2300	{CCA9D3E1-078A-412f-B25D-723F58A88B59}.exe
Token: SeIncBasePriorityPrivilege	2592	{0A2FCE11-7EFF-4cba-92F9-967091312DA4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 1668	3024	ba9be4aa6cd650exeexeexeex.exe	28
PID 3024 wrote to memory of 1668	3024	ba9be4aa6cd650exeexeexeex.exe	28
PID 3024 wrote to memory of 1668	3024	ba9be4aa6cd650exeexeexeex.exe	28
PID 3024 wrote to memory of 1668	3024	ba9be4aa6cd650exeexeexeex.exe	28
PID 3024 wrote to memory of 2356	3024	ba9be4aa6cd650exeexeexeex.exe	29
PID 3024 wrote to memory of 2356	3024	ba9be4aa6cd650exeexeexeex.exe	29
PID 3024 wrote to memory of 2356	3024	ba9be4aa6cd650exeexeexeex.exe	29
PID 3024 wrote to memory of 2356	3024	ba9be4aa6cd650exeexeexeex.exe	29
PID 1668 wrote to memory of 2920	1668	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe	30
PID 1668 wrote to memory of 2920	1668	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe	30
PID 1668 wrote to memory of 2920	1668	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe	30
PID 1668 wrote to memory of 2920	1668	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe	30
PID 1668 wrote to memory of 2992	1668	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe	31
PID 1668 wrote to memory of 2992	1668	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe	31
PID 1668 wrote to memory of 2992	1668	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe	31
PID 1668 wrote to memory of 2992	1668	{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe	31
PID 2920 wrote to memory of 1340	2920	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe	32
PID 2920 wrote to memory of 1340	2920	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe	32
PID 2920 wrote to memory of 1340	2920	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe	32
PID 2920 wrote to memory of 1340	2920	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe	32
PID 2920 wrote to memory of 2016	2920	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe	33
PID 2920 wrote to memory of 2016	2920	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe	33
PID 2920 wrote to memory of 2016	2920	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe	33
PID 2920 wrote to memory of 2016	2920	{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe	33
PID 1340 wrote to memory of 1164	1340	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe	34
PID 1340 wrote to memory of 1164	1340	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe	34
PID 1340 wrote to memory of 1164	1340	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe	34
PID 1340 wrote to memory of 1164	1340	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe	34
PID 1340 wrote to memory of 1528	1340	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe	35
PID 1340 wrote to memory of 1528	1340	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe	35
PID 1340 wrote to memory of 1528	1340	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe	35
PID 1340 wrote to memory of 1528	1340	{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe	35
PID 1164 wrote to memory of 1040	1164	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe	36
PID 1164 wrote to memory of 1040	1164	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe	36
PID 1164 wrote to memory of 1040	1164	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe	36
PID 1164 wrote to memory of 1040	1164	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe	36
PID 1164 wrote to memory of 2508	1164	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe	37
PID 1164 wrote to memory of 2508	1164	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe	37
PID 1164 wrote to memory of 2508	1164	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe	37
PID 1164 wrote to memory of 2508	1164	{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe	37
PID 1040 wrote to memory of 2040	1040	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe	39
PID 1040 wrote to memory of 2040	1040	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe	39
PID 1040 wrote to memory of 2040	1040	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe	39
PID 1040 wrote to memory of 2040	1040	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe	39
PID 1040 wrote to memory of 2196	1040	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe	38
PID 1040 wrote to memory of 2196	1040	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe	38
PID 1040 wrote to memory of 2196	1040	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe	38
PID 1040 wrote to memory of 2196	1040	{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe	38
PID 2040 wrote to memory of 2692	2040	{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe	41
PID 2040 wrote to memory of 2692	2040	{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe	41
PID 2040 wrote to memory of 2692	2040	{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe	41
PID 2040 wrote to memory of 2692	2040	{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe	41
PID 2040 wrote to memory of 1412	2040	{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe	40
PID 2040 wrote to memory of 1412	2040	{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe	40
PID 2040 wrote to memory of 1412	2040	{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe	40
PID 2040 wrote to memory of 1412	2040	{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe	40
PID 2692 wrote to memory of 920	2692	{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe	43
PID 2692 wrote to memory of 920	2692	{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe	43
PID 2692 wrote to memory of 920	2692	{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe	43
PID 2692 wrote to memory of 920	2692	{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe	43
PID 2692 wrote to memory of 2056	2692	{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe	42
PID 2692 wrote to memory of 2056	2692	{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe	42
PID 2692 wrote to memory of 2056	2692	{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe	42
PID 2692 wrote to memory of 2056	2692	{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe	42

C:\Users\Admin\AppData\Local\Temp\ba9be4aa6cd650exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\ba9be4aa6cd650exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe
  C:\Windows\{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe
    C:\Windows\{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe
      C:\Windows\{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1340
    - - C:\Windows\{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe
        
        C:\Windows\{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1164
      - C:\Windows\{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe
        
        C:\Windows\{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D474A~1.EXE > nul
        7⤵
        
        PID:2196
        
        C:\Windows\{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe
        
        C:\Windows\{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05C5E~1.EXE > nul
        8⤵
        
        PID:1412
        
        C:\Windows\{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe
        
        C:\Windows\{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26FA8~1.EXE > nul
        9⤵
        
        PID:2056
        
        C:\Windows\{E04A56D1-F023-45bf-8684-97342DA3C362}.exe
        
        C:\Windows\{E04A56D1-F023-45bf-8684-97342DA3C362}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\Windows\{248DC41D-029E-4e6d-BD34-45B45B0352D1}.exe
        
        C:\Windows\{248DC41D-029E-4e6d-BD34-45B45B0352D1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\{F95AE9B1-1E59-42f0-995C-34D0A2E74004}.exe
        
        C:\Windows\{F95AE9B1-1E59-42f0-995C-34D0A2E74004}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F95AE~1.EXE > nul
        12⤵
        
        PID:2720
        
        C:\Windows\{CCA9D3E1-078A-412f-B25D-723F58A88B59}.exe
        
        C:\Windows\{CCA9D3E1-078A-412f-B25D-723F58A88B59}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\{0A2FCE11-7EFF-4cba-92F9-967091312DA4}.exe
        
        C:\Windows\{0A2FCE11-7EFF-4cba-92F9-967091312DA4}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A2FC~1.EXE > nul
        14⤵
        
        PID:2428
        
        C:\Windows\{E2F6E9BE-2850-4ad5-B537-30E161FA08C1}.exe
        
        C:\Windows\{E2F6E9BE-2850-4ad5-B537-30E161FA08C1}.exe
        14⤵
        Executes dropped EXE
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCA9D~1.EXE > nul
        13⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{248DC~1.EXE > nul
        11⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E04A5~1.EXE > nul
        10⤵
        
        PID:2624
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BEAC~1.EXE > nul
        6⤵
        
        PID:2508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32B22~1.EXE > nul
        5⤵
        
        PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{75FB2~1.EXE > nul
      4⤵
      PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7A3E1~1.EXE > nul
    3⤵
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BA9BE4~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe

Filesize
204KB

MD5
4a312a8d127dfd738b5ea3a4cb05f994

SHA1
69dabfd903dbd41fd5f7ae11f37c4bd678e093b8

SHA256
10ef723082671e67238c238b7de064c78ff447ac50a5db2e97512a8dbfe94478

SHA512
409450969dee8b79d2b6e1156850f3db35fe52e3baf518e09efa172116f5237db8953958e03d2be9c4c2ee5158bc1ab2becd1ae2ffa4fa55ec5d4eee7156d982

Download Submit
C:\Windows\{05C5E0B9-73AD-4606-80F2-067CBA78DE5E}.exe

Filesize
204KB

MD5
4a312a8d127dfd738b5ea3a4cb05f994

SHA1
69dabfd903dbd41fd5f7ae11f37c4bd678e093b8

SHA256
10ef723082671e67238c238b7de064c78ff447ac50a5db2e97512a8dbfe94478

SHA512
409450969dee8b79d2b6e1156850f3db35fe52e3baf518e09efa172116f5237db8953958e03d2be9c4c2ee5158bc1ab2becd1ae2ffa4fa55ec5d4eee7156d982

Download Submit
C:\Windows\{0A2FCE11-7EFF-4cba-92F9-967091312DA4}.exe

Filesize
204KB

MD5
a54e5efd73963ce37dd608310fc6dc36

SHA1
f6ff8d3110044790500642684f7eb2614e316dda

SHA256
74a53c6c200047958417d1f0cbd78d5cf02e899940e679f4a3bca434dc12538e

SHA512
68215598f01b153f107fe41629067f5fb88a870e5eea2463a4f4e6361eba2ec6ad02aedf0c8e93812e9d7f482dac9ab858dcfb9a4256f41134fb5f69d31938f0

Download Submit
C:\Windows\{0A2FCE11-7EFF-4cba-92F9-967091312DA4}.exe

Filesize
204KB

MD5
a54e5efd73963ce37dd608310fc6dc36

SHA1
f6ff8d3110044790500642684f7eb2614e316dda

SHA256
74a53c6c200047958417d1f0cbd78d5cf02e899940e679f4a3bca434dc12538e

SHA512
68215598f01b153f107fe41629067f5fb88a870e5eea2463a4f4e6361eba2ec6ad02aedf0c8e93812e9d7f482dac9ab858dcfb9a4256f41134fb5f69d31938f0

Download Submit
C:\Windows\{248DC41D-029E-4e6d-BD34-45B45B0352D1}.exe

Filesize
204KB

MD5
924285def91fc9b0ea57d4ec64b7fea8

SHA1
e66512b203263297e59d33e6952157bc68e05bb3

SHA256
74bc5c109dc954eb79a335d88ac13f1348a1c2fc296f077aac912b1b3d576acc

SHA512
e5ae03508f1d9e47d476b67eff398686045b0627ebd1c5a05f809e553a76493ae757c70cdf0a2cf2c7c1ebe3c0da2bd2780cc3fe3fa6c72691884efc48c1a58f

Download Submit
C:\Windows\{248DC41D-029E-4e6d-BD34-45B45B0352D1}.exe

Filesize
204KB

MD5
924285def91fc9b0ea57d4ec64b7fea8

SHA1
e66512b203263297e59d33e6952157bc68e05bb3

SHA256
74bc5c109dc954eb79a335d88ac13f1348a1c2fc296f077aac912b1b3d576acc

SHA512
e5ae03508f1d9e47d476b67eff398686045b0627ebd1c5a05f809e553a76493ae757c70cdf0a2cf2c7c1ebe3c0da2bd2780cc3fe3fa6c72691884efc48c1a58f

Download Submit
C:\Windows\{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe

Filesize
204KB

MD5
6f348804854e55ea54f718a39c481fa3

SHA1
94564ace7d9d662c8c99bf30c07f305ec8cc1851

SHA256
8fa8c6bfd37a571a244f07088bfb30ac3ef3db5f23c39b207328c2edd271682b

SHA512
30e3c8764f1fb36eed65696643ec3135f272c56966a862d9dabc6231ff593aa87c5ddac0fc402bc143bc9f8f58ac4c6724b876b7668c4f5ad874cb7301f4ce82

Download Submit
C:\Windows\{26FA85AC-5DFB-4b45-B8F7-C011F2CF9086}.exe

Filesize
204KB

MD5
6f348804854e55ea54f718a39c481fa3

SHA1
94564ace7d9d662c8c99bf30c07f305ec8cc1851

SHA256
8fa8c6bfd37a571a244f07088bfb30ac3ef3db5f23c39b207328c2edd271682b

SHA512
30e3c8764f1fb36eed65696643ec3135f272c56966a862d9dabc6231ff593aa87c5ddac0fc402bc143bc9f8f58ac4c6724b876b7668c4f5ad874cb7301f4ce82

Download Submit
C:\Windows\{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe

Filesize
204KB

MD5
09c051a2a377311fa82a40bfa5ed1c07

SHA1
c24ed004b96a1cd5f81e602202ad9d46ed73dc44

SHA256
0e3474ac23054aa29c7fd9794a1b3863ff514cd933754fb3504c754a6941771b

SHA512
6fcf14e54195cb0ad9298f34e57cd2b9e0d4ab50325574e661aa5617ec34944d43ee647c12ecc125978a04a741d302a904d0d0a4f57f84ec674a162dc0089e5b

Download Submit
C:\Windows\{32B22DF3-185E-4bdc-849D-EBE1CFABC05B}.exe

Filesize
204KB

MD5
09c051a2a377311fa82a40bfa5ed1c07

SHA1
c24ed004b96a1cd5f81e602202ad9d46ed73dc44

SHA256
0e3474ac23054aa29c7fd9794a1b3863ff514cd933754fb3504c754a6941771b

SHA512
6fcf14e54195cb0ad9298f34e57cd2b9e0d4ab50325574e661aa5617ec34944d43ee647c12ecc125978a04a741d302a904d0d0a4f57f84ec674a162dc0089e5b

Download Submit
C:\Windows\{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe

Filesize
204KB

MD5
3fb240403b36af140dd51ceb099734c1

SHA1
7baa201f9d0dae1f88fbdff83b8bdf2daef4c6df

SHA256
016074c7c2f59828c2c2111b9a554414c646661f10c9233c6c3b6b2f03db7923

SHA512
fdab7af13c5fa20e54b1ab01b2eb47fea309600292ce061a1585a867587f7208ab8ee44daba871ceb81d516a5d95aa1f905c7828760d4f698dc638ca1dbeb738

Download Submit
C:\Windows\{75FB25BC-B033-4854-90BF-85343E66F8D5}.exe

Filesize
204KB

MD5
3fb240403b36af140dd51ceb099734c1

SHA1
7baa201f9d0dae1f88fbdff83b8bdf2daef4c6df

SHA256
016074c7c2f59828c2c2111b9a554414c646661f10c9233c6c3b6b2f03db7923

SHA512
fdab7af13c5fa20e54b1ab01b2eb47fea309600292ce061a1585a867587f7208ab8ee44daba871ceb81d516a5d95aa1f905c7828760d4f698dc638ca1dbeb738

Download Submit
C:\Windows\{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe

Filesize
204KB

MD5
f8d9ed28127261d411298d80698911fe

SHA1
b65875cbf39cb945b5acdab4b3d2088d03647626

SHA256
0e3c9cafc3ca980c306e3031cf7ac9804e26f3fe6202022bf1e8b0b2e1c5da82

SHA512
08a353b39173ce8221131136b440795544c65b3554088c18c564fdc80544289b1dd95f9fba57692f0a8ad1f01a5e7937de1eb5444b22dcaf65a6a3f600aa9177

Download Submit
C:\Windows\{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe

Filesize
204KB

MD5
f8d9ed28127261d411298d80698911fe

SHA1
b65875cbf39cb945b5acdab4b3d2088d03647626

SHA256
0e3c9cafc3ca980c306e3031cf7ac9804e26f3fe6202022bf1e8b0b2e1c5da82

SHA512
08a353b39173ce8221131136b440795544c65b3554088c18c564fdc80544289b1dd95f9fba57692f0a8ad1f01a5e7937de1eb5444b22dcaf65a6a3f600aa9177

Download Submit
C:\Windows\{7A3E1050-F92F-416c-BC36-E24BB856EF60}.exe

Filesize
204KB

MD5
f8d9ed28127261d411298d80698911fe

SHA1
b65875cbf39cb945b5acdab4b3d2088d03647626

SHA256
0e3c9cafc3ca980c306e3031cf7ac9804e26f3fe6202022bf1e8b0b2e1c5da82

SHA512
08a353b39173ce8221131136b440795544c65b3554088c18c564fdc80544289b1dd95f9fba57692f0a8ad1f01a5e7937de1eb5444b22dcaf65a6a3f600aa9177

Download Submit
C:\Windows\{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe

Filesize
204KB

MD5
4972a6518cdfa3f6bf6098a96f25d837

SHA1
7b533879e64f3c4af237a9a2ed6b0c550314a2a5

SHA256
66cca54911a5f5f55caf047eb5f38efcd95c99cccd6e3558a49999a6491bda7d

SHA512
1b106b38c2720dfe5656b7eb96009b7ec106e7581634e3629f59b3215b3fc15edbb2568821ca898514898d60eb0a4fab0780cb366aad54dd432f0057b5ab9a77

Download Submit
C:\Windows\{9BEACACC-97A2-406a-AEE1-F5C3C5486642}.exe

Filesize
204KB

MD5
4972a6518cdfa3f6bf6098a96f25d837

SHA1
7b533879e64f3c4af237a9a2ed6b0c550314a2a5

SHA256
66cca54911a5f5f55caf047eb5f38efcd95c99cccd6e3558a49999a6491bda7d

SHA512
1b106b38c2720dfe5656b7eb96009b7ec106e7581634e3629f59b3215b3fc15edbb2568821ca898514898d60eb0a4fab0780cb366aad54dd432f0057b5ab9a77

Download Submit
C:\Windows\{CCA9D3E1-078A-412f-B25D-723F58A88B59}.exe

Filesize
204KB

MD5
3a38733482e06c3df1cb6371916d0e78

SHA1
7555978685834d7bd1de68fcda9180399c78e5d7

SHA256
8a1d61589128b84ecb4422c9ed4f36b47cb66e5e63edf24ab0900485836ab65f

SHA512
471df46d129dbc6be0dc6600df6ad5d4e874c63f44c15492b552b8c7c15ae17cd6165d71e5d2187f6d161acfb9512e258bf476f1483da12b8256889ac006a07a

Download Submit
C:\Windows\{CCA9D3E1-078A-412f-B25D-723F58A88B59}.exe

Filesize
204KB

MD5
3a38733482e06c3df1cb6371916d0e78

SHA1
7555978685834d7bd1de68fcda9180399c78e5d7

SHA256
8a1d61589128b84ecb4422c9ed4f36b47cb66e5e63edf24ab0900485836ab65f

SHA512
471df46d129dbc6be0dc6600df6ad5d4e874c63f44c15492b552b8c7c15ae17cd6165d71e5d2187f6d161acfb9512e258bf476f1483da12b8256889ac006a07a

Download Submit
C:\Windows\{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe

Filesize
204KB

MD5
8cc86f8b74d77b5fedce76a0c2c9c170

SHA1
39114940c88453814e8586a7441a9376fdedaf62

SHA256
2aa3bc438a320e6fe8222672a85c8857c587f0cc4af1d5d664127d34ea6c6097

SHA512
8738798d94a57e6837a305d2d11978d4fdfa323273dfea638ebcc46c2b310c1f95735d15dc44e6f22db66be62069613367475e6cc079bf8593cc1c1b6c74b554

Download Submit
C:\Windows\{D474A288-5727-4324-ABC5-09B11A9A9E34}.exe

Filesize
204KB

MD5
8cc86f8b74d77b5fedce76a0c2c9c170

SHA1
39114940c88453814e8586a7441a9376fdedaf62

SHA256
2aa3bc438a320e6fe8222672a85c8857c587f0cc4af1d5d664127d34ea6c6097

SHA512
8738798d94a57e6837a305d2d11978d4fdfa323273dfea638ebcc46c2b310c1f95735d15dc44e6f22db66be62069613367475e6cc079bf8593cc1c1b6c74b554

Download Submit
C:\Windows\{E04A56D1-F023-45bf-8684-97342DA3C362}.exe

Filesize
204KB

MD5
b818217bbd5ecc17f77dd84896bc7010

SHA1
09eda79a1e94e92577239f0e333d1b2e53d685a9

SHA256
29418ec1a8fdc7007556a0f28739e56d596c8a1cb49f36be3e2fd2d0b45df4a8

SHA512
d7c0a4d9c0b23a6538f6878944cf75d1a239f26a62af9a8785dc6655bbbdb11d7ee152de49e6d823dfb374317e28b050562acd850d31fa1f590963461417e38f

Download Submit
C:\Windows\{E04A56D1-F023-45bf-8684-97342DA3C362}.exe

Filesize
204KB

MD5
b818217bbd5ecc17f77dd84896bc7010

SHA1
09eda79a1e94e92577239f0e333d1b2e53d685a9

SHA256
29418ec1a8fdc7007556a0f28739e56d596c8a1cb49f36be3e2fd2d0b45df4a8

SHA512
d7c0a4d9c0b23a6538f6878944cf75d1a239f26a62af9a8785dc6655bbbdb11d7ee152de49e6d823dfb374317e28b050562acd850d31fa1f590963461417e38f

Download Submit
C:\Windows\{E2F6E9BE-2850-4ad5-B537-30E161FA08C1}.exe

Filesize
204KB

MD5
43e58eb82fdb6f89e702324b719ab23e

SHA1
8044a22476369031a2e168024a802ce2d994a513

SHA256
cff1a280071c594f6e06a35da4c2b76bb3577afa6c4679b19d140ce66f07a369

SHA512
93d4c149b0b41e0d0f8dd7f1b1ea4a5ab94803c8b33a82420107417263328a635db5e837aa1f817cc40ede1138b281bef9a75cc02ed0f0c27d444ea350ea8624

Download Submit
C:\Windows\{F95AE9B1-1E59-42f0-995C-34D0A2E74004}.exe

Filesize
204KB

MD5
15b1b1b968fced60d6a0cfce5caa1133

SHA1
f3f768d0a826fe64d23ce8a672b6ac5a671239f6

SHA256
ae07b20529f5cdc1cbb4f2fead4ffecaf94d67c18dd392e6b282886d4e45b5fa

SHA512
95f7330fd28d539513ec2144ed4e28cbc1b1a1d32763f0096e9e2e68e9a911fd04cd3e924262e4b0c6be8b2b3055bd0e94e28e1fb14d30f73b0fe8d5561c6441

Download Submit
C:\Windows\{F95AE9B1-1E59-42f0-995C-34D0A2E74004}.exe

Filesize
204KB

MD5
15b1b1b968fced60d6a0cfce5caa1133

SHA1
f3f768d0a826fe64d23ce8a672b6ac5a671239f6

SHA256
ae07b20529f5cdc1cbb4f2fead4ffecaf94d67c18dd392e6b282886d4e45b5fa

SHA512
95f7330fd28d539513ec2144ed4e28cbc1b1a1d32763f0096e9e2e68e9a911fd04cd3e924262e4b0c6be8b2b3055bd0e94e28e1fb14d30f73b0fe8d5561c6441

Download Submit